| title | Create a Basic SKU virtual network gateway: PowerShell |
|---|---|
| titleSuffix | Azure VPN Gateway |
| description | Learn how to create a Basic SKU virtual network gateway for a VPN connection to your on-premises network, or to connect virtual networks. Use these instructions to create either a policy-based, or route-based VPN gateway. |
| author | cherylmc |
| ms.service | azure-vpn-gateway |
| ms.topic | how-to |
| ms.date | 01/23/2026 |
| ms.author | cherylmc |
| ms.custom | devx-track-azurepowershell |
This article helps you create a Basic SKU Azure VPN gateway using PowerShell. The VPN gateway you create can be either RouteBased, or PolicyBased, depending on your connection requirements. A VPN gateway is used when creating a VPN connection to your on-premises network. You can also use a VPN gateway to connect VNets.
Important
The Basic SKU has certain feature and performance limitations and shouldn't be used for production purposes. For more information about gateway SKUs, see About gateway SKUs.
:::image type="content" source="./media/create-gateway-basic-sku/gateway-diagram.png" alt-text="Diagram that shows a virtual network and a VPN gateway." lightbox="./media/create-gateway-basic-sku/gateway-diagram-expand.png":::
- The left side of the diagram shows the virtual network and the VPN gateway that you create by using the steps in this article.
- You can later add different types of connections, as shown on the right side of the diagram. For example, you can create site-to-site and point-to-site connections. To view different design architectures that you can build, see VPN gateway design.
The steps in this article create a virtual network, a subnet, a gateway subnet, and a VPN gateway (virtual network gateway) using the Basic SKU. The article steps specify a RouteBased VPN type. You can also specify a PolicyBased VPN type using the steps in this article. Once the gateway creation completes, you can then create connections. If you want to create a gateway using a SKU other than the Basic SKU, see the Portal article.
The Basic SKU has certain feature and performance limitations and shouldn't be used for production purposes. Some of the limitations of the Basic SKU are:
[!INCLUDE Basic SKU limitations]
These steps require an Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
[!INCLUDE powershell]
Create an Azure resource group with New-AzResourceGroup. A resource group is a logical container into which Azure resources are deployed and managed. If you're running PowerShell locally, open your PowerShell console with elevated privileges and connect to Azure using the Connect-AzAccount command.
New-AzResourceGroup -Name TestRG1 -Location EastUS
Create a virtual network with New-AzVirtualNetwork. The following example creates a virtual network named VNet1 in the EastUS location:
$virtualnetwork = New-AzVirtualNetwork `
-ResourceGroupName TestRG1 `
-Location EastUS `
-Name VNet1 `
-AddressPrefix 10.1.0.0/16
Create a subnet configuration using the New-AzVirtualNetworkSubnetConfig cmdlet.
$subnetConfig = Add-AzVirtualNetworkSubnetConfig `
-Name Frontend `
-AddressPrefix 10.1.0.0/24 `
-VirtualNetwork $virtualnetwork
Set the subnet configuration for the virtual network using the Set-AzVirtualNetwork cmdlet.
$virtualnetwork | Set-AzVirtualNetwork
The gateway subnet contains the reserved IP addresses that the virtual network gateway services use. Use the following examples to add a gateway subnet:
Set a variable for your virtual network.
$vnet = Get-AzVirtualNetwork -ResourceGroupName TestRG1 -Name VNet1
Create the gateway subnet using the Add-AzVirtualNetworkSubnetConfig cmdlet.
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27 -VirtualNetwork $vnet
Set the subnet configuration for the virtual network using the Set-AzVirtualNetwork cmdlet.
$vnet | Set-AzVirtualNetwork
Each VPN gateway must have an allocated public IP address. At this time, new Basic SKU VPN gateways use the Static allocation method for public IP address and the Standard public IP address SKU. These requirements may be different from previously created Basic SKU VPN gateways. Use the following example to create a public IP address for your VPN gateway.
$gwpip = New-AzPublicIpAddress -Name "VNet1GWIP" -ResourceGroupName "TestRG1" -Location "EastUS" -AllocationMethod Static -Sku Standard -Zone 1,2,3
The gateway configuration defines the subnet and the public IP address to use. Use the following example to create your gateway configuration.
$vnet = Get-AzVirtualNetwork -Name VNet1 -ResourceGroupName TestRG1
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name gwipconfig -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. Once the gateway is created, you can create a connection between your virtual network and another virtual network. Or, create a connection between your virtual network and an on-premises location.
Create a VPN gateway using the New-AzVirtualNetworkGateway cmdlet. In this example, we create a route-based Basic SKU VPN gateway. You can create a policy-based gateway instead by specifying -VpnType "PolicyBased".
New-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 `
-Location "East US" -IpConfigurations $gwipconfig -GatewayType "Vpn" `
-VpnType "RouteBased" -GatewaySku Basic
You can view the VPN gateway using the Get-AzVirtualNetworkGateway cmdlet.
Get-AzVirtualNetworkGateway -Name Vnet1GW -ResourceGroup TestRG1
To view the public IP address for your VPN gateway, use the Get-AzPublicIpAddress cmdlet. Example:
Get-AzPublicIpAddress -Name VNet1GWpip1 -ResourceGroupName TestRG1
When you no longer need the resources you created, use the Remove-AzResourceGroup command to delete the resource group. This deletes the resource group and all of the resources it contains.
Remove-AzResourceGroup -Name TestRG1
Once the gateway finishes creating, you can create a connection between your virtual network and another virtual network. Or, create a connection between your virtual network and an on-premises location. See the following articles: